And I see the packet counters increment when I ping these IPs.
Now I would like to change the scenario a bit by excluding loopback9 (9.9.9.9) from encryption while still being able to ping it.
To accomplish this, we need to add an access list that specifies which IPs should be encrypted:

* Do not use any L4 entries (they will be ignored) or deny statements in this access list, because everything from this ACL will be added, permit and deny entries alike (!)

Then the ACL needs to be added to the ISAKMP client configuration:

crypto isakmp client configuration group CG
acl 101
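
A split-tunnel ACL consistent with the description above, as an added example that is not the original post's configuration. It assumes the usual IOS convention that the source field of the ACL names the hosts behind the VPN server that clients must reach through the tunnel; the addresses and ACL number are the ones used in this post.

```cisco
! Added example (assumed form of ACL 101, not taken from the original post).
! Source field = destinations the client must encrypt; L3 permit entries only.
access-list 101 permit ip host 7.7.7.7 any
access-list 101 permit ip host 8.8.8.8 any
!
! 9.9.9.9 is excluded simply by not listing it, so the client sends that
! traffic outside the tunnel (it shows up as 'bypassed').
!
! Entries to avoid, per the note above:
!   access-list 101 deny ip host 9.9.9.9 any
!     (a deny entry is pushed to the client like a permit, so 9.9.9.9
!      would end up in the secured list instead of being excluded)
!   access-list 101 permit tcp host 7.7.7.7 any eq 443
!     (the L4 part is ignored, so this does not narrow the tunnel to one port)
!
! The ACL takes effect for group CG through the "acl 101" line shown above,
! after the client reconnects.
```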

I reconnected once again, and we can see that now only the specified IPs/subnets are secured and the rest are not (split tunneling):

Let’s test it:

As you can see, pings to 7.7.7.7 and 8.8.8.8 go over the tunnel (the encrypted/decrypted packet counters increased).
Now let’s test 9.9.9.9, which should not be sent via the tunnel:

As you can see, I can ping this IP, and only the ‘bypassed’ packet counter increases. The encrypted/decrypted counters are still at 8.
Now I would like to improve security by adding an ACL to protect these two IPs and deny any traffic from the Internet:

Hosts accessible only via the VPN: 7.7.7.7, 8.8.8.8

Host accessible from the Internet that should never go through the VPN: 9.9.9.9